But does this mean that all vulnerabilities that only affect admin users are not valid? No.
Just because a vulnerability is unlikely to be exploited, or is difficult to exploit, does not mean that we should ignore it. WordPress powers so much of the web that it’s hard to keep up with the latest market share percentages. There must be thousands of different types of configurations and implementations, and we cannot assume that a vulnerability, just because it is low risk, won’t affect one of those sites in a more serious way.
Here are a couple of examples of administrator XSS vulnerabilities from our WordPress vulnerability database: